Script And Tools | Online-Travling-System | Broken Access Control In /admin/addadvertisement.php

Hi All, 


I am Maloy Roy Orko.


Recently, in one of my pentest research sessions, I found an Online-Travling-System application by Script And Tools, which is an open-source Online-Travling-System.

It is made with PHP, MySQL, and JavaScript.

Curious to explore its functionalities, I downloaded it and set it up on my local system.

After fiddling with the source code, I found that it did not have any kind of proper access management in the /admin/addadvertisement.php file. This file can be accessed by anyone, even without logging in!


It can lead to:

  • Malware Distribution
  • Unauthorized Access
  • Data Breach
  • Web Shell Installation
  • Reputation Damage

The main thing is, if any non-IT person uses this template, they will fall into this vulnerability and their company's reputation can be lost too. That's why I am trying to inform everyone about this.

Title of the Vulnerability: 

Script And Tools | Online-Travling-System | Broken Access Control In /admin/addadvertisement.php

Vulnerability Class: Broken Access Control 

Product Name: Online-Travling-System

Vendor: https://github.com/scriptandtools/

Vulnerable Product Link: https://github.com/scriptandtools/Online-Travling-System-Php

Technical Details & Description: The application source code is written in a way that allows access to /admin/addadvertisement.php without any verification of the requester's identity or role.

Product & Service Introduction: Online-Travling-System

Observation & Exploitation: 

Here, the vulnerable file is:

/admin/addadvertisement.php

Let's Exploit 🌠🗝️🔐:

First, go to the vulnerable location:

Example: http://192.168.0.100:8080/OTS/admin/addadvertisement.php

See, you can add fraudulent advertisements without any login credentials or logging in.

So this indicates that /admin/addadvertisement.php is vulnerable to Broken Access Control, as we can access an administrator feature without any authorization!
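The root cause described above is that the page executes its form handling before ever checking for an authenticated administrator. The following is an added example of the kind of guard that closes the gap; it is not code from the Online-Travling-System project. The file name admin_guard.php, the session key $_SESSION['admin_id'], and the login page path /admin/login.php are assumptions chosen for illustration, and would need to match whatever the project's login handler actually sets and uses.

```php
<?php
// admin_guard.php (hypothetical file name) -- added example, not the project's code.
// Include this at the very top of every script under /admin/, before any HTML output
// and before any database write, so an unauthenticated request never reaches the
// INSERT that stores an advertisement.
//
// Assumption: the login handler sets $_SESSION['admin_id'] after a successful login
// and session_regenerate_id(true) is called there to prevent session fixation.

declare(strict_types=1);

function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Harden the session cookie before starting the session.
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }

    if (empty($_SESSION['admin_id'])) {
        // No authenticated admin: redirect to the login page and stop executing
        // the rest of the script. The exit is essential; a header() alone does
        // not prevent the remaining code from running.
        header('Location: /admin/login.php'); // hypothetical login page path
        exit;
    }
}

require_admin();

// Usage: the first line of /admin/addadvertisement.php (and every other admin
// script) becomes
//
//     <?php require __DIR__ . '/admin_guard.php';
//
// placed before any output, so the check cannot be bypassed by requesting the
// script directly or by sending the POST body without visiting the page first.
```

Two points worth checking after applying a guard like this: that no admin script emits output (even a byte of whitespace before `<?php`) ahead of the include, since that would make the redirect fail with a "headers already sent" warning while the rest of the script still runs; and that the guard is present in every file under /admin/, not only the one reported here, because a single unguarded script is enough to reintroduce the problem.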

Conclusion :-

The main aim of this article is to show that if any non-IT person uses this template, they will fall into this vulnerability and their company's reputation can be lost too. But I also hope that it helps to give you ideas of how combining attacks can make them much more potent.
